The present invention relates generally to authentication of a user with a server. More specifically, it relates to a method and system for registration and authentication of the user using a processor card with the server over a public network.
Users access the Internet on a daily basis for various services such as banking services, online bookings, financial transactions, etc. These services are provided by the servers hosted by each service provider. In order to use such services and to maintain data security, the users have to register with the servers that provide these services. Presently, the user identification and password details are sent to the users either by post or by email, and the users are allowed to access the server only after receiving these login details. Hence, the login details may be intercepted, which is termed a forgery attack. The login details, once intercepted, can be used repeatedly by unauthorized people to access the server, resulting in a replay attack.
Further, in order to access the server, the user is authenticated by the server based on his login details. Lamport first introduced the hash-based password authentication system to prevent unauthorized people from guessing passwords. However, the required computation increases the computational load on the server. Furthermore, the server maintains all the login details of the user required for authentication, which consumes various resources at the server. Login details maintained at the server may also be exposed to an insider attack, whereby the login details may be intercepted and the server may be accessed by unauthorized people. To overcome the problems of computational load and security, the users are provided with a processor card, for example, a smart card, in addition to the passwords for authentication purposes. The processor card provides an efficient way of hash-function-based authentication, and decreases the computational load on the server for decrypting the password. However, the registration of the processor card with the server requires an offline channel, and the login details have to be sent to the users either by post or by email. The offline channel generally involves filling in various forms provided by the service providers so as to register the user with the server. Also, the server requires a secure channel for authenticating the user using the processor card. The requirement of a secure channel further increases the utilization of resources at the server.
Modern authentication systems also suffer from problems in resetting login details. Login details are initially selected at the server, and are then provided to the users. Later, the users are given the option of changing the login details according to their preferences. Since the login details are maintained at the server, a user has to send his preferred login details to the server before he can use them for subsequent authentications. Further, a secure channel is required for sending these login details to the server in order to avoid forgery attacks.
In light of the foregoing discussion, there is a need for a method and a system which may decrease the computational load on the server and enhance the security level during a transaction with the server. Further, the method should also obviate the need for any offline or secure channel for both registration and authentication. Furthermore, the method should eliminate the need to store the login details at the server and, in turn, decrease the utilization of resources at the server.